coreos-base/google-oslogin: Update to 20200910

This change updates to the latest oslogin version provided by Google. Since our last update, this was split into a different repo and the directory structure changed significantly. It also added group support, which needed to be added to the nsswitch.conf file that we ship. Flatcar users require docker group permissions, so ensure oslogin gives that permission by shipping a separate group.conf file that gets installed when oslogin is enabled.
2025-08-18 21:11:08 +02:00 · 2020-09-17 15:36:03 +02:00 · 2020-09-17 15:36:03 +02:00 · db3bd0f9f8
commit db3bd0f9f8
parent ecc026209b
7 changed files with 33 additions and 23 deletions
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin
@ -27,3 +27,4 @@ ln -f -s '/usr/share/google-oslogin/pam_sshd' '/etc/pam.d/sshd'
 ln -f -s '/usr/share/google-oslogin/nsswitch.conf' '/etc/nsswitch.conf'
 ln -f -s '/usr/share/google-oslogin/sshd_config' '/etc/ssh/sshd_config'
 ln -f -s '/usr/share/google-oslogin/oslogin-sudoers' '/etc/sudoers.d/oslogin-sudoers'
+ln -f -s '/usr/share/google-oslogin/group.conf' '/etc/security/group.conf'
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/Manifest
@ -1 +1 @@
-DIST 20180611.tar.gz 143678 SHA256 f71bdc6d01cff014bb4d066096be9a6e067fd3028c730cc4c9557001ec99ab6e SHA512 9e94cdda66f9b45dbb0ade25ce2dabbcc38c96b7c6f94a09bfef80f1611e7fe0233578ccc55f76530dca16f4ee261a22c05ae12b76ce527734be50b856caca3e WHIRLPOOL f37f980686924003570567e77ec1b740a7ce538a03917d01757f2599a595c17f8babd32184ca26b6075df14de1e5da2876f5eb3111141d442c1571e043350b8d
+DIST 20200910.00.tar.gz 42599 BLAKE2B 6c2917f03277834e54050e5bf94943dc311c70e3150247b91cee5835b09fb197686788373ab8cdff4f3f8e4baa85dd515bcb22a99530475bd7c3991d1d272ece SHA512 575813becdd7046b9c5813f33aad440737df6d0fa1d9345f8f4340fda4bc348b27860231ed163196cf06609fd3311fe2bbf45486c260c45a0a38795a95f09834
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/0001-pam_module-use-var-lib-instead-of-var.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/0001-pam_module-use-var-lib-instead-of-var.patch
@ -4,14 +4,14 @@ Date: Fri, 6 Jul 2018 15:54:40 -0700
 Subject: [PATCH] pam_module: use /var/lib/ instead of /var

 ---
- google_compute_engine_oslogin/pam_module/pam_oslogin_admin.cc | 2 +-
- google_compute_engine_oslogin/pam_module/pam_oslogin_login.cc | 2 +-
+ guest-oslogin/src/pam/pam_oslogin_admin.cc | 2 +-
+ guest-oslogin/src/pam/pam_oslogin_login.cc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

-diff --git a/google_compute_engine_oslogin/pam_module/pam_oslogin_admin.cc b/google_compute_engine_oslogin/pam_module/pam_oslogin_admin.cc
+diff --git a/guest-oslogin/src/pam/pam_oslogin_admin.cc b/guest-oslogin/src/pam/pam_oslogin_admin.cc
 index 04d0808..376916e 100644
--- a/google_compute_engine_oslogin/pam_module/pam_oslogin_admin.cc
-+++ b/google_compute_engine_oslogin/pam_module/pam_oslogin_admin.cc
+--- a/guest-oslogin/src/pam/pam_oslogin_admin.cc
+++ b/guest-oslogin/src/pam/pam_oslogin_admin.cc
@@ -36,7 +36,7 @@ using oslogin_utils::ParseJsonToEmail;
 using oslogin_utils::UrlEncode;
 using oslogin_utils::kMetadataServerUrl;
@ -21,10 +21,10 @@ index 04d0808..376916e 100644
 
 extern "C" {
 
-diff --git a/google_compute_engine_oslogin/pam_module/pam_oslogin_login.cc b/google_compute_engine_oslogin/pam_module/pam_oslogin_login.cc
+diff --git a/guest-oslogin/src/pam/pam_oslogin_login.cc b/guest-oslogin/src/pam/pam_oslogin_login.cc
 index 9e708f4..428600b 100644
--- a/google_compute_engine_oslogin/pam_module/pam_oslogin_login.cc
-+++ b/google_compute_engine_oslogin/pam_module/pam_oslogin_login.cc
+--- a/guest-oslogin/src/pam/pam_oslogin_login.cc
+++ b/guest-oslogin/src/pam/pam_oslogin_login.cc
@@ -36,7 +36,7 @@ using oslogin_utils::ParseJsonToEmail;
 using oslogin_utils::UrlEncode;
 using oslogin_utils::kMetadataServerUrl;
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/group.conf
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/group.conf
@ -0,0 +1,2 @@
+# Instruct oslogin to add the docker group to user that login via ssh
+sshd;*;*;Al0000-2400;docker
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/nsswitch.conf
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/nsswitch.conf
@ -2,7 +2,7 @@
 # Keep this in sync with nsswitch.conf from coreos/baselayout
 passwd:      files usrfiles sss systemd cache_oslogin oslogin
 shadow:      files usrfiles sss
-group:       files usrfiles sss systemd
+group:       files usrfiles sss systemd cache_oslogin oslogin

 hosts:       files usrfiles dns myhostname
 networks:    files usrfiles dns
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/pam_sshd
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/pam_sshd
@ -1,9 +1,12 @@
+# Needed for oslogin support (needs to be prepended)
+auth       [default=ignore] pam_group.so
+auth       [success=done perm_denied=die default=ignore] pam_oslogin_login.so
+account    [success=ok default=ignore] pam_oslogin_admin.so
+account    [success=ok ignore=ignore default=die] pam_oslogin_login.so
+session    [success=ok default=ignore] pam_mkhomedir.so
+
 # Keep this file in sync with the net-misc/openssh/files/sshd.pam_include.2
 auth       include	system-remote-login
 account    include	system-remote-login
 password   include	system-remote-login
 session	   include	system-remote-login
-# Needed for oslogin support
-account    requisite    pam_oslogin_login.so
-account    optional     pam_oslogin_admin.so
-session    optional     pam_mkhomedir.so
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00.ebuild
@ -4,8 +4,8 @@
 EAPI=6

 DESCRIPTION="Components to support Google Cloud OS Login. This contains bits that belong in USR"
-HOMEPAGE="https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/google_compute_engine_oslogin"
-SRC_URI="https://github.com/GoogleCloudPlatform/compute-image-packages/archive/${PV}.tar.gz"
+HOMEPAGE="https://github.com/GoogleCloudPlatform/guest-oslogin"
+SRC_URI="https://github.com/GoogleCloudPlatform/guest-oslogin/archive/${PV}.tar.gz"

 LICENSE="Apache-2.0"
 SLOT="0"
@ -22,7 +22,7 @@ DEPEND="

 RDEPEND="${DEPEND}"

-S=${WORKDIR}/compute-image-packages-${PV}/google_compute_engine_oslogin
+S=${WORKDIR}/guest-oslogin-${PV}/

 src_prepare() {
 	eapply -p2 "$FILESDIR/0001-pam_module-use-var-lib-instead-of-var.patch"
@ -30,18 +30,21 @@ src_prepare() {
 }

 src_compile() {
-	emake CC="$(tc-getCC)" CXX="$(tc-getCXX)" JSON_INCLUDE_PATH="${ROOT%/}/usr/include/json-c"
+	emake CC="$(tc-getCC)" CXX="$(tc-getCXX)" \
+            VERSION=${PV} \
+            JSON_INCLUDE_PATH="${ROOT%/}/usr/include/json-c"
 }

 src_install() {
-	dolib.so libnss_cache_google-compute-engine-oslogin-1.3.0.so
-	dolib.so libnss_google-compute-engine-oslogin-1.3.0.so
+	dolib.so src/libnss_cache_oslogin-${PV}.so
+	dolib.so src/libnss_oslogin-${PV}.so

 	exeinto /usr/libexec
-	doexe google_authorized_keys
+	doexe src/google_authorized_keys
+	doexe src/google_oslogin_nss_cache

-	dopammod pam_oslogin_admin.so
-	dopammod pam_oslogin_login.so
+	dopammod src/pam_oslogin_admin.so
+	dopammod src/pam_oslogin_login.so

 	# config files the base Ignition config will create links to
 	insinto /usr/share/google-oslogin
@ -49,4 +52,5 @@ src_install() {
 	doins "${FILESDIR}/nsswitch.conf"
 	doins "${FILESDIR}/pam_sshd"
 	doins "${FILESDIR}/oslogin-sudoers"
+	doins "${FILESDIR}/group.conf"
 }